Move nspawn containers into nspawn directory

2026-01-22 09:14:24 +01:00 · 2024-09-16 20:41:43 +02:00 · 2024-09-16 20:41:43 +02:00 · 5b1fc56176
commit 5b1fc56176
parent be488a91a7
14 changed files with 2 additions and 1 deletions
--- a/hosts/stratus/containers/nspawn/default.nix
+++ b/hosts/stratus/containers/nspawn/default.nix
@ -0,0 +1,94 @@
+{
+  config,
+  inputs,
+  self,
+  lib,
+  ...
+}:
+let
+  containers = lib.filterAttrs (_: v: v == "directory") (builtins.readDir ./.);
+  dataDirOf = name: "/data/${name}";
+in
+{
+  imports = lib.mapAttrsToList (name: _: ./${name}) containers;
+
+  sops.secrets = lib.mapAttrs' (
+    name: _: lib.nameValuePair "container/${name}/ssh-key" { }
+  ) containers;
+
+  systemd.tmpfiles.rules = lib.flatten (
+    lib.mapAttrsToList (name: _: [
+      "d ${dataDirOf name} - - -"
+      "d /var/lib/tailscale-${name} - - -"
+    ]) containers
+  );
+
+  networking = {
+    useDHCP = false;
+    bridges.br0.interfaces = [ "eno1" ];
+    interfaces."br0".useDHCP = true;
+
+    nat = {
+      enable = true;
+      internalInterfaces = [ "ve-+" ];
+      externalInterface = "br0";
+    };
+  };
+
+  containers = lib.mapAttrs (name: _: {
+    autoStart = true;
+    ephemeral = true;
+
+    privateNetwork = true;
+    enableTun = true;
+    hostBridge = "br0";
+
+    bindMounts = {
+      "/etc/ssh/ssh_host_ed25519_key".hostPath = config.sops.secrets."container/${name}/ssh-key".path;
+      ${dataDirOf name}.isReadOnly = false;
+      "/var/lib/tailscale" = {
+        hostPath = "/var/lib/tailscale-${name}";
+        isReadOnly = false;
+      };
+    };
+
+    specialArgs = {
+      inherit inputs self;
+      inherit (config.system) stateVersion;
+      inherit (config.networking) domain;
+      dataDir = dataDirOf name;
+    };
+    config =
+      {
+        self,
+        stateVersion,
+        domain,
+        ...
+      }:
+      {
+        imports = [ self.nixosModules.default ];
+
+        system = {
+          inherit stateVersion;
+        };
+
+        networking = {
+          inherit domain;
+          useHostResolvConf = false;
+          interfaces."eth0".useDHCP = true;
+        };
+        services.resolved.enable = true;
+
+        myConfig.sops = {
+          enable = true;
+          defaultSopsFile = ./${name}/secrets.yaml;
+        };
+
+        sops.secrets."tailscale-auth-key" = { };
+        myConfig.tailscale = {
+          enable = true;
+          ssh.enable = true;
+        };
+      };
+  }) containers;
+}
--- a/hosts/stratus/containers/nspawn/forgejo/backup.nix
+++ b/hosts/stratus/containers/nspawn/forgejo/backup.nix
@ -0,0 +1,59 @@
+{
+  config,
+  pkgs,
+  lib,
+  dataDir,
+  ...
+}:
+{
+  systemd.tmpfiles.rules = [ "d ${dataDir}/backup 750 forgejo forgejo -" ];
+
+  security.polkit = {
+    enable = true;
+    extraConfig = ''
+      polkit.addRule(function(action, subject) {
+        if (action.id == "org.freedesktop.systemd1.manage-units" &&
+          action.lookup("unit") == "forgejo.service" &&
+          subject.user == "forgejo") {
+          return polkit.Result.YES;
+        }
+      });
+    '';
+  };
+
+  myConfig.resticBackup.forgejo = {
+    enable = true;
+    user = config.users.users.forgejo.name;
+    healthchecks.enable = true;
+
+    extraConfig = {
+      backupPrepareCommand = ''
+        ${lib.getExe' pkgs.systemd "systemctl"} stop forgejo.service
+        ${lib.getExe' config.services.postgresql.package "pg_dump"} forgejo --format=custom --file=${dataDir}/backup/db.dump
+      '';
+      backupCleanupCommand = ''
+        ${lib.getExe' pkgs.systemd "systemctl"} start forgejo.service
+      '';
+      paths = [
+        "${dataDir}/home/custom"
+        "${dataDir}/home/data"
+        "${dataDir}/home/repositories"
+        "${dataDir}/home/.ssh"
+        "${dataDir}/backup"
+      ];
+      extraBackupArgs = [ "--exclude='${dataDir}/home/custom/conf/app.ini'" ];
+    };
+  };
+
+  environment.systemPackages = [
+    (pkgs.writeShellApplication {
+      name = "forgejo-restore";
+      text = ''
+        systemctl stop forgejo.service
+        sudo -u forgejo restic-forgejo restore --target / latest
+        sudo -u forgejo pg_restore --clean --if-exists --dbname forgejo ${dataDir}/backup/db.dump
+        systemctl start forgejo.service
+      '';
+    })
+  ];
+}
--- a/hosts/stratus/containers/nspawn/forgejo/default.nix
+++ b/hosts/stratus/containers/nspawn/forgejo/default.nix
@ -0,0 +1,46 @@
+{
+  containers.forgejo.config =
+    {
+      config,
+      lib,
+      dataDir,
+      ...
+    }:
+    {
+      imports = [ ./backup.nix ];
+
+      sops.secrets."forgejo-admin-password" = {
+        owner = config.users.users.forgejo.name;
+        inherit (config.users.users.forgejo) group;
+      };
+
+      systemd.tmpfiles.rules = [
+        "d ${dataDir}/home 750 forgejo forgejo -"
+        "d ${dataDir}/postgresql 700 postgres postgres -"
+      ];
+
+      services.postgresql.dataDir = "${dataDir}/postgresql";
+
+      services.forgejo = {
+        enable = true;
+        stateDir = "${dataDir}/home";
+
+        lfs.enable = true;
+        database.type = "postgres";
+        settings = {
+          server = {
+            DOMAIN = config.networking.fqdn;
+            ROOT_URL = "https://${config.services.forgejo.settings.server.DOMAIN}/";
+          };
+          service.DISABLE_REGISTRATION = true;
+        };
+      };
+
+      systemd.services.forgejo.preStart = ''
+        create="${lib.getExe config.services.forgejo.package} admin user create"
+        $create --admin --email "sebastian.stork@pm.me" --username seb --password "$(cat ${config.sops.secrets.forgejo-admin-password.path})" || true
+      '';
+
+      myConfig.tailscale.serve = "3000";
+    };
+}
--- a/hosts/stratus/containers/nspawn/forgejo/secrets.yaml
+++ b/hosts/stratus/containers/nspawn/forgejo/secrets.yaml
@ -0,0 +1,35 @@
+tailscale-auth-key: ENC[AES256_GCM,data:9jqpLTuBWvonEsTuzxxtgOnw4bvjQG49wu6VrxwdnrwI7VmLcTcVzotyU+Vqsmys5dTMR5JtMLkN+OOw6zg=,iv:HM819F8A2W+5oBi+QLaRW//4kPKzmqG4EQicWm9aGKc=,tag:XzFSLI4WNGmgPBiffv4rXQ==,type:str]
+forgejo-admin-password: ENC[AES256_GCM,data:l/6pYXwUEsu6dvEXQAhN46dXk08XCk33G1GeoLrm,iv:Z635DD5ca4wZ9vO2VAlo1rzockKL/XC0/GrQPV/59XA=,tag:XZVQS5tOPdBfYAIURfZ5vQ==,type:str]
+restic:
+  environment: ENC[AES256_GCM,data:il37oo0OywyZR+YpculEzkdzDwE0eZ+X21oX2yZ7hDa/91a+bn3Y/HJVpnh0qaxraupoL9OQJeGevI6xW6MSmpjiutofUSPzqg0dbXuw4/lE54y1CZUn1rRNoTeUja8zcyA=,iv:irIAnO7tizrgkdvZLFJGbL5HYgLee1DHDrqsiCJFxSE=,tag:a7hLwMLtmtCZDm7vrdgZJg==,type:str]
+  password: ENC[AES256_GCM,data:tmzBte5NDAzTfqakXlNn8cctwfWq6xzOzoRJ7cAi,iv:R4wGPjQPV42p+i7lp6Q2LDThv8OKKCO462eOVMnlyO8=,tag:owA+MdJ0pEf+0cuAzHdUwA==,type:str]
+healthchecks-ping-key: ENC[AES256_GCM,data:oax0Kk4AYPnjMmZpSuWMvm0+6yPYzQ==,iv:CjrJ8ZdcB4MVzYPmeb2YB8FbEzm159koeaYmzTKo9q8=,tag:fj9Oo16FiX5D9UkkL94cKQ==,type:str]
+sops:
+  kms: []
+  gcp_kms: []
+  azure_kv: []
+  hc_vault: []
+  age:
+    - recipient: age1mpq8m4p7dnxh5ze3fh7etd2k6sp85zdnmp9te3e9chcw4pw07pcq960zh5
+      enc: |
+        -----BEGIN AGE ENCRYPTED FILE-----
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZejdhUzZyQ1RROGZmZUdX
+        UFR6NlBsbVZDMjJwM3pidi8waWNWVS9id2tnClBxQ3J6N0IwOGZ5eFZFZHU1ZEN3
+        YUh2c3VUd2xLa3NEdWUzdE1aOUZONFUKLS0tIHpGM1pMeUFQYytoQmdncHJWUHlz
+        L003dzV4Z0lTRllkVDJlSm16S1crMlUKtW70ZGOCC9iwfQ7kxzx+DT7l2qSub9Bf
+        VfdlHP1XHXhEw3Don3OLrzwaIzXBbfqGGtpd0rWIoxISqjguBulR9g==
+        -----END AGE ENCRYPTED FILE-----
+    - recipient: age12k607dpdjt5dyq0w3hpgyfdyfrrfuutxgra0tgt8qja30er7cupsfps60n
+      enc: |
+        -----BEGIN AGE ENCRYPTED FILE-----
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkdVFCOUt0TDdOZnA1c3NZ
+        UDVJcUNUS3dqVmJMOVIra0tEVEJ5cjVNYnljCkcxMXF2SGJFRDVDeEFFTEh5dUdV
+        MkEzQXE3TjhHcUJjdXhGSHZyanpVZ1UKLS0tIERlVXNXNjV5OHdyeG5LdCtIVWNG
+        YzNSUG5HWStBemtRZ0s4NzNOOTZRWDAKJHKjfzIPOQUoizt5SffPP/n4d+hOfGLg
+        bXsKSa99E5JMxskzYZQGH0G4OLZrJEMzegRW0DsJtEFwj8YORmn6iw==
+        -----END AGE ENCRYPTED FILE-----
+  lastmodified: "2024-09-14T10:12:04Z"
+  mac: ENC[AES256_GCM,data:6RKzMLVWCI9szPEXyJany873xSwIaWTR8Oi+L2+qIQC5JRpnvKYk8tnECcXJUO/dQehLtixNiofAuiNCbN/SD3tE7sppBfp/wgdfn6uZpl5rE6X3Gbdgj2+9/ANMjD2S+Vd02MSq4WVvGmtFWmYWFWhqeBS6X5slRs5ug6wRktg=,iv:ati1h8fB/iadMiEfNMb3vpiv/DKg5BUdMN3cHLi6Kj4=,tag:n02eCi3sdt8yMOeXB+5kCw==,type:str]
+  pgp: []
+  unencrypted_suffix: _unencrypted
+  version: 3.9.0
--- a/hosts/stratus/containers/nspawn/nextcloud/backup.nix
+++ b/hosts/stratus/containers/nspawn/nextcloud/backup.nix
@ -0,0 +1,43 @@
+{
+  config,
+  pkgs,
+  lib,
+  dataDir,
+  ...
+}:
+{
+  systemd.tmpfiles.rules = [ "d ${dataDir}/backup 700 nextcloud nextcloud -" ];
+
+  myConfig.resticBackup.nextcloud = {
+    enable = true;
+    user = config.users.users.nextcloud.name;
+    healthchecks.enable = true;
+
+    extraConfig = {
+      backupPrepareCommand = ''
+        ${lib.getExe' config.services.nextcloud.occ "nextcloud-occ"} maintenance:mode --on
+        ${lib.getExe' config.services.postgresql.package "pg_dump"} nextcloud --format=custom --file=${dataDir}/backup/db.dump
+      '';
+      backupCleanupCommand = ''
+        ${lib.getExe' config.services.nextcloud.occ "nextcloud-occ"} maintenance:mode --off
+      '';
+      paths = [
+        "${dataDir}/home/data"
+        "${dataDir}/home/config/config.php"
+        "${dataDir}/backup"
+      ];
+    };
+  };
+
+  environment.systemPackages = [
+    (pkgs.writeShellApplication {
+      name = "nextcloud-restore";
+      text = ''
+        sudo -u nextcloud ${lib.getExe' config.services.nextcloud.occ "nextcloud-occ"} maintenance:mode --on
+        sudo -u nextcloud restic-nextcloud restore --target / latest
+        sudo -u nextcloud pg_restore --clean --if-exists --dbname nextcloud ${dataDir}/backup/db.dump
+        sudo -u nextcloud ${lib.getExe' config.services.nextcloud.occ "nextcloud-occ"} maintenance:mode --off
+      '';
+    })
+  ];
+}
--- a/hosts/stratus/containers/nspawn/nextcloud/default.nix
+++ b/hosts/stratus/containers/nspawn/nextcloud/default.nix
@ -0,0 +1,92 @@
+{
+  containers.nextcloud.config =
+    {
+      config,
+      inputs,
+      pkgs,
+      dataDir,
+      ...
+    }:
+    {
+      imports = [
+        ./email-server.nix
+        ./backup.nix
+      ];
+
+      sops.secrets."nextcloud/admin-password" = {
+        owner = config.users.users.nextcloud.name;
+        inherit (config.users.users.nextcloud) group;
+      };
+
+      systemd.tmpfiles.rules = [
+        "d ${dataDir}/home 750 nextcloud nextcloud -"
+        "d ${dataDir}/postgresql 700 postgres postgres -"
+      ];
+
+      services.postgresql.dataDir = "${dataDir}/postgresql";
+
+      services.nextcloud = {
+        enable = true;
+        package = pkgs.nextcloud29;
+        home = "${dataDir}/home";
+        hostName = config.networking.fqdn;
+
+        database.createLocally = true;
+        config = {
+          dbtype = "pgsql";
+          adminuser = "admin";
+          adminpassFile = config.sops.secrets."nextcloud/admin-password".path;
+        };
+
+        https = true;
+        settings = {
+          overwriteProtocol = "https";
+          trusted_proxies = [ "127.0.0.1" ];
+          log_type = "file";
+          default_phone_region = "DE";
+          maintenance_window_start = "2"; # UTC
+          defaultapp = "side_menu";
+        };
+
+        configureRedis = true;
+        maxUploadSize = "16G";
+        phpOptions."opcache.interned_strings_buffer" = "16";
+
+        autoUpdateApps = {
+          enable = true;
+          startAt = "04:00:00";
+        };
+        extraApps = {
+          inherit (config.services.nextcloud.package.packages.apps)
+            calendar
+            contacts
+            onlyoffice
+            memories
+            ;
+
+          twofactor_totp = pkgs.fetchNextcloudApp {
+            url = inputs.nextcloud-twofactor-totp.outPath;
+            sha256 = inputs.nextcloud-twofactor-totp.narHash;
+            license = "agpl3Plus";
+            unpack = true;
+          };
+          news = pkgs.fetchNextcloudApp {
+            url = inputs.nextcloud-news.outPath;
+            sha256 = inputs.nextcloud-news.narHash;
+            license = "agpl3Plus";
+            unpack = true;
+          };
+          side_menu = pkgs.fetchNextcloudApp {
+            url = inputs.nextcloud-side-menu.outPath;
+            sha256 = inputs.nextcloud-side-menu.narHash;
+            license = "agpl3Plus";
+            unpack = true;
+          };
+        };
+      };
+
+      environment.systemPackages = [ pkgs.ffmpeg ];
+
+      myConfig.tailscale.serve = "80";
+    };
+}
--- a/hosts/stratus/containers/nspawn/nextcloud/email-server.nix
+++ b/hosts/stratus/containers/nspawn/nextcloud/email-server.nix
@ -0,0 +1,22 @@
+{ config, ... }:
+{
+  sops.secrets."nextcloud/gmail-password" = { };
+
+  services.nextcloud.settings = {
+    mail_smtpmode = "sendmail";
+    mail_sendmailmode = "pipe";
+  };
+
+  programs.msmtp = {
+    enable = true;
+    accounts.default = {
+      auth = true;
+      tls = true;
+      host = "smtp.gmail.com";
+      port = "587";
+      user = "nextcloud.stork";
+      from = "nextcloud.stork@gmail.com";
+      passwordeval = "cat ${config.sops.secrets."nextcloud/gmail-password".path}";
+    };
+  };
+}
--- a/hosts/stratus/containers/nspawn/nextcloud/secrets.yaml
+++ b/hosts/stratus/containers/nspawn/nextcloud/secrets.yaml
@ -0,0 +1,37 @@
+tailscale-auth-key: ENC[AES256_GCM,data:HLRjtK6MXLSlzEsu76mUye9V9gAD4Grxbd0UU1RySEGekG4StMeO3yo+wHYHNU2UcRdZEW4OKaZyLbRCHpg=,iv:Kbey9sU5tCqH9pnas30bns1HyTGYlAL0pR3WcVeVvrY=,tag:NiFLtMWJ1FCN+EYR/ZHrrg==,type:str]
+nextcloud:
+  admin-password: ENC[AES256_GCM,data:RaFNoEJj2flmwIu2Q/5UgRbITve7CzFg8udQclJO,iv:d95Vo9HMRzmoSU3gcQqO5uP7yW6n7PF6Nx3s6A9bgmc=,tag:ruIW8Ov+wQPOPBWV61MnWw==,type:str]
+  gmail-password: ENC[AES256_GCM,data:RJXg4KYYwjg2CyzQM9wovDSqB8M=,iv:Tf8egrzoG3rRbzufJGHCTr6W+nCEnJJaSe6hpvr1AmM=,tag:GjlgIEqQDUtjn3mm1QT1uw==,type:str]
+restic:
+  environment: ENC[AES256_GCM,data:bYC7JBKvOMUdqB3X/Z9Nh4g8mhSJpqo63vU3zIrdSO+zlRF+PT+n4yofZe8D47Wz46YGAfwnKXGvAy2WQwHsDcMfdWW85e/1ttV5eESWMotSBM7WzpyFRjNDg+vCy4nWkWI=,iv:RVBMlsOwJCehMuJ2Hzls+gnzUIJM8MjdLu5uMJczugw=,tag:hds43pJX/hpBLwXTujiJ8w==,type:str]
+  password: ENC[AES256_GCM,data:yMs1EG39X1+RYcgeM3SFi38ypOU=,iv:vsEl9jLR3DcqRxJmH5cpIe1+I2W49Hj12oOfwrymznI=,tag:uevinZPEfj0J4KFkTLsV5g==,type:str]
+healthchecks-ping-key: ENC[AES256_GCM,data:3bLMIixDXZpCWfkuf8UbCovRvbtlIw==,iv:0G7oIezhyNDl7U9EXw2auvTvdxng6CAbAViXQSbzo+c=,tag:u1QWKdszu9dDLb6LZdAShA==,type:str]
+sops:
+  kms: []
+  gcp_kms: []
+  azure_kv: []
+  hc_vault: []
+  age:
+    - recipient: age1mpq8m4p7dnxh5ze3fh7etd2k6sp85zdnmp9te3e9chcw4pw07pcq960zh5
+      enc: |
+        -----BEGIN AGE ENCRYPTED FILE-----
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKWFVKV0IzbVVTV1g1c3o1
+        ZnpwMTFyZ0RhcmhhNk8vd1dYWGdWZHZhNFVRCjE3MG9Wd0ZXNEtrRS84M3hMRVdk
+        T1BOczN0VmoybUs3dXJUR3FNc2swdlkKLS0tIEFXam96UGlJWnphVzVpRittSXNS
+        SDU0U0IwTTh6NHI2enZZTEwwd2lkQXMKsHAwayLHW3GfRc90sq0xhN1rF4RkvXSS
+        +WGyhmI0fik6NPyVN7DNaYhte2IoVJe3RTH2vJigpTLIIziMgTPgFQ==
+        -----END AGE ENCRYPTED FILE-----
+    - recipient: age1jutruntzdaqs26mpe68pafje23m9n4klm04fva05fcdyvyqnaamsvqf3jr
+      enc: |
+        -----BEGIN AGE ENCRYPTED FILE-----
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwSExmaW9CUGo0WWloZDha
+        c3ZUNy9xVXgvVkdzRHRjWFZERllycG41RENzCnZuazR2RW41VlJNWk9TZjcwcGpM
+        dnZQQTNSbDBieGhmOW5xU24xeVhpYjQKLS0tIHAzTDV2dHdDNnQ4ZC9ielM3Qyt1
+        aWFqYXYrMmJBbEQwQWxza1lrdmU4bmMKm0QbJP1QiNVOA7slpocaPxkq9orE8jrP
+        xxrDtRUZhvEOEZuCD61wWTfgdeI7SFWaSJkN6MgPlvRyuYQ+3TZh3Q==
+        -----END AGE ENCRYPTED FILE-----
+  lastmodified: "2024-09-14T10:12:52Z"
+  mac: ENC[AES256_GCM,data:d+G+0m8WX9Fk3XmB+Hd4oSKgKYp6fGv9UIHhVIjy+XH0XNNZXFDCB2komQ/9K9EAuVDTfRspS2WJMT97o4CXEDiltz+iCfSGVL4TDpPjzOwEyyHJs9aD0cYoxLgL36H9OEDsf1tTAqy4tvRGJVWTNtXEh/og7pssH8hGXa2dqV4=,iv:aioBwBRPXVp/dLK536REJSi9tYFMTMqkKRHPfwmElXs=,tag:JZuaN4jAoybTLpZ9yX+khg==,type:str]
+  pgp: []
+  unencrypted_suffix: _unencrypted
+  version: 3.9.0
--- a/hosts/stratus/containers/nspawn/onlyoffice/default.nix
+++ b/hosts/stratus/containers/nspawn/onlyoffice/default.nix
@ -0,0 +1,20 @@
+{
+  containers.onlyoffice.config =
+    { config, lib, ... }:
+    {
+      sops.secrets."onlyoffice-secret-key" = {
+        owner = config.users.users.onlyoffice.name;
+        inherit (config.users.users.onlyoffice) group;
+      };
+
+      nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ "corefonts" ];
+
+      services.onlyoffice = {
+        enable = true;
+        hostname = "onlyoffice.stork-atlas.ts.net";
+        jwtSecretFile = config.sops.secrets."onlyoffice-secret-key".path;
+      };
+
+      myConfig.tailscale.serve = "8000";
+    };
+}
--- a/hosts/stratus/containers/nspawn/onlyoffice/secrets.yaml
+++ b/hosts/stratus/containers/nspawn/onlyoffice/secrets.yaml
@ -0,0 +1,31 @@
+tailscale-auth-key: ENC[AES256_GCM,data:rbESOOvhOWXx7fPsM4rfHZ83qiynHADz7QJjINfrPhpk7KddBkWpzfrHzsUszNEo3jaWOx67G71rhRZxEA==,iv:8PYmou/U2jsYenxk+APYlW4w4WhTSzv95aV5qq4/5pQ=,tag:iukHBj3GQ/ePpzaasXGm4g==,type:str]
+onlyoffice-secret-key: ENC[AES256_GCM,data:FtIKFZrajzZ5nDTO1/JbJh9Kixo=,iv:l4rjxiNrdjGP1YRYp/QSEFn/1SOnN8i77dCYBRtb7lM=,tag:dbPD1otFzUDLTPvhXQowwQ==,type:str]
+sops:
+  kms: []
+  gcp_kms: []
+  azure_kv: []
+  hc_vault: []
+  age:
+    - recipient: age1mpq8m4p7dnxh5ze3fh7etd2k6sp85zdnmp9te3e9chcw4pw07pcq960zh5
+      enc: |
+        -----BEGIN AGE ENCRYPTED FILE-----
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYZW5ZOUhRM1NYOS8yWTRh
+        andCVjNIWDA0c294WmxwRGd4b3BTcHZRK0JFCmJyS1Rsd1JxaUgvQ05xelVQYWEy
+        dExxejRQUUpwajhBcHlTRG04UHpVY1EKLS0tIGRGTDBDVzU2N0h1aFdEMHNzSUhU
+        SnhUM1BHUzV2TDJKaVFDbkJqUW5rRmsKtBWX5Qf1XexmRvZkATZkcW51HJCGmEzq
+        5A61eA/RIhRwdDCxR1omIzhUq+BId1MwjuygapIgLsaTkUWnfKltNA==
+        -----END AGE ENCRYPTED FILE-----
+    - recipient: age1es9tg5225aum5k5ahu8u9q0jprzzte6d64jmwxr2w33ylctqs4lqykdtx5
+      enc: |
+        -----BEGIN AGE ENCRYPTED FILE-----
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoUG1PTEN1Y1JjaVJrc3VW
+        OTN5eEt0SXg2VmZzOTNUMVlQaHZlaFd4Y1FvCkxRejFqOGYzbnR1UDBVMllqYTJt
+        Q2RXeW5tSEFiTVRMTFVtR00zQ1crQXMKLS0tIFFQTFYzQWlhbzVkNmUzM3Y0ejFj
+        V0V4ZkNucExLUGZVWUFuTWdaN3hSTkEKAJy3TKI+oUJS+1A2f47ck2xiOcW7TsFl
+        UCAaT19sZHVjaF/0CoPVmOZ3H5t3lh7BRo7di1TACr1TjYfCxEYRVw==
+        -----END AGE ENCRYPTED FILE-----
+  lastmodified: "2024-09-14T10:13:24Z"
+  mac: ENC[AES256_GCM,data:JuCYiDYHt7lO5i+XbXkuOFFmfGNmmhdEoLrUTHpHA/ex9goRwPLwQ8KcmSonf3cIT7+d/U+sv3U77zCPaVzI848a7liyXnxByulRkUUdnhoqUtGt4bNE+gBq/+y2jsb8QGJIeotHoQS+gEIGnKCv2OAP0RBNfveyYvzedoDVfmo=,iv:AHbzDqLXgngiQZPiv581dNPtKNQzEWGnXkHWgAj+oTc=,tag:qe1lfXkLOq4c/5z62wkk6g==,type:str]
+  pgp: []
+  unencrypted_suffix: _unencrypted
+  version: 3.9.0
--- a/hosts/stratus/containers/nspawn/paperless/backup.nix
+++ b/hosts/stratus/containers/nspawn/paperless/backup.nix
@ -0,0 +1,43 @@
+{
+  config,
+  pkgs,
+  lib,
+  dataDir,
+  ...
+}:
+{
+  systemd.tmpfiles.rules = [ "d ${dataDir}/backup 700 paperless paperless -" ];
+
+  users.users.paperless.extraGroups = [ "redis-paperless" ];
+
+  myConfig.resticBackup.paperless = {
+    enable = true;
+    user = config.users.users.paperless.name;
+    healthchecks.enable = true;
+
+    extraConfig = {
+      backupPrepareCommand = ''
+        ${dataDir}/paperless-manage document_exporter ${dataDir}/backup ${
+          lib.concatStringsSep " " [
+            "--compare-checksums"
+            "--delete"
+            "--split-manifest"
+            "--use-filename-format"
+            "--no-progress-bar"
+          ]
+        }
+      '';
+      paths = [ "${dataDir}/backup" ];
+    };
+  };
+
+  environment.systemPackages = [
+    (pkgs.writeShellApplication {
+      name = "paperless-restore";
+      text = ''
+        sudo -u paperless restic-paperless restore --target / latest
+        sudo -u paperless ${dataDir}/paperless-manage document_importer ${dataDir}/backup
+      '';
+    })
+  ];
+}
--- a/hosts/stratus/containers/nspawn/paperless/default.nix
+++ b/hosts/stratus/containers/nspawn/paperless/default.nix
@ -0,0 +1,22 @@
+{
+  containers.paperless.config =
+    {
+      config,
+      dataDir,
+      ...
+    }:
+    {
+      imports = [ ./backup.nix ];
+
+      sops.secrets."paperless-admin-password" = { };
+
+      services.paperless = {
+        enable = true;
+        inherit dataDir;
+        passwordFile = config.sops.secrets."paperless-admin-password".path;
+        settings.PAPERLESS_OCR_LANGUAGE = "deu+eng";
+      };
+
+      myConfig.tailscale.serve = "28981";
+    };
+}
--- a/hosts/stratus/containers/nspawn/paperless/secrets.yaml
+++ b/hosts/stratus/containers/nspawn/paperless/secrets.yaml
@ -0,0 +1,35 @@
+tailscale-auth-key: ENC[AES256_GCM,data:qXVu6U3gcDUq0+eWAtgFn8CZja9Dc4r3z7qZoaAqDm7r8uqpZsZ7JaX3AIBeipvRrBG11IDabP5DM38D8PQ=,iv:FKf7duFw+cV1wH2fd2oDNkbuokuQxgOW0gHgR+oSc7U=,tag:1aOb8XOL61cn/ESW3I/ocQ==,type:str]
+paperless-admin-password: ENC[AES256_GCM,data:7xjn0fXEFZCYDvzjP7P5R5reZR8=,iv:jMIJNbqEo7IcHDYwvTmQnArYdt2PR9tp8coOXCZHkQw=,tag:kCejUFStTuosRblkbQMdew==,type:str]
+restic:
+  environment: ENC[AES256_GCM,data:JRwMFhbVLg4hkmJsNw+yNdCBX3Cud5ADbGL+nkRFUjpMkF1c3JubWnNI4lG/ehfJ0GJmHveOyMD304XEykPWuK89KVNNmqTuaa2hGUIykQPyqAqvkChOsOZAfGA/gHrC8tY=,iv:xsXanfAtI8ppOxwtsu89+3KWwNXtXPyT1k+Toe6f6Vw=,tag:hUO7jaTgzX+z4eiLK9CQ7g==,type:str]
+  password: ENC[AES256_GCM,data:txtSW2r1HTFeZXEmkkMBYhPkdms=,iv:kTI52zpI7vUU6IxO/qwzoAtdNZnHrhU69WovA1dBYi0=,tag:6XF1BUOA2Brao/qR3DNe0g==,type:str]
+healthchecks-ping-key: ENC[AES256_GCM,data:HihujYrVxFEXF5PnPscigc7vXWM8kg==,iv:T6JmbIjcMjfHKssR5tJrlfQGivqGDWz5d80PQORNLH4=,tag:2Gkddfksi5QPnFK1JFip2g==,type:str]
+sops:
+  kms: []
+  gcp_kms: []
+  azure_kv: []
+  hc_vault: []
+  age:
+    - recipient: age1mpq8m4p7dnxh5ze3fh7etd2k6sp85zdnmp9te3e9chcw4pw07pcq960zh5
+      enc: |
+        -----BEGIN AGE ENCRYPTED FILE-----
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWTmZLR2JOM1p2S2lxYkts
+        WTE2OFlRUXJ0a01EOUd3Mythc3R1d3llTTNrCkJQWVY1bGlFbThaL0plTWhwYUJK
+        WDlQNjFzZGhIS3ZlaHZiYytQdFo5WWMKLS0tIGZ3VDRTQlFHT2IwVkFIb0lwOXhT
+        dm9QRndWZXE0L0drS3JzMGF0c2x1S1kKXuxMaVAcbRwR4/QZnIUdb3wyRujYAy2I
+        8/FYL5r9PuNwhEv1Ene+dj8nkx1G+stTZmgepOS9Z0AyIvfDW6FS8g==
+        -----END AGE ENCRYPTED FILE-----
+    - recipient: age1y82j460w5fh0fpquatqar0zqet0vzzfzjnegrp686na3gejapdtsc37vuh
+      enc: |
+        -----BEGIN AGE ENCRYPTED FILE-----
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNMVVzZUl5WVc3VVZudmVj
+        UkVDd2pYUU50MDBHRnZ4Sis5K28wV1RwNlQ4CmhONVd3Wkh5ZHlYSDYzeHlLMGdF
+        VUxiS2JWS2lwQVY2OHYwSk1UdGNSeUkKLS0tIGRSZVJ2U1J6azQveHJkRmViVnNs
+        cmFJeFpHdnRzMFA2a1NML1A1RFB6clEK+FH8x1dccz8TnUuEFc0EkTSzG6Ody0IF
+        tCNrHN2h3AzqYxKFYucquMmnE9WGJuzShijIXAv1W7JE2JZw9XnS4w==
+        -----END AGE ENCRYPTED FILE-----
+  lastmodified: "2024-09-14T10:14:08Z"
+  mac: ENC[AES256_GCM,data:f4Qi8ES+cZG9dBwVnOErmZ5FQZOpQ5aoU60CEvD/TlLpdnQ/V/ZbiAq0xCP8VT1Jxas6szZaFaArxWrRWeFQsdhYUn+4CyNhABCe6MXllMHIN9gfmKAvE9LCz2UzgbCZkjprPFsGIKusSzDZhSaNe5azI9TQaHdqG2T0eLKrkpc=,iv:L5tBbbOC3/3YQJqFSZk/SpaYll89bWXb1pdE2eAF2G0=,tag:8FbE7yrdlo/d1NXnwAuArQ==,type:str]
+  pgp: []
+  unencrypted_suffix: _unencrypted
+  version: 3.9.0